No LAN Internet access on 21.02.2 Proxmox LXC

Hi all,

My goal is to provide always on VPN access to a device connected via Ethernet.

I have set up an openwrt Proxmox container as a Wireguard Client. The openwrt WAN interface is connected to vmbr0 (local lan) and openwrt LAN to vmbr1 (usb Ethernet adapter).

I have Internet access on the openwrt router itself (connected to my home router or via Wireguard). I can run diagnostics successfully and can install packages.

I cannot access the Internet from any device which I connect to the LAN port / vmbr1. I get an IP address assigned via DHCP and everything looks ok as far I can tell.

Any suggestions on how I could resolve this issue?

Thank you.

Using a kvm backend would make your setup a lot easier, as you'd no longer depend on your host's kernel to provide essential functionality (e.g. wireguard) in the right way (systcl, sysfs knobs all tuned as expected by OpenWrt).

Yes, it does work using KVM, thank you. I was hoping to get it running under lxc.

It might be an issue with the firewall or something else. I can access Luci from the WAN interface as soon as I boot the container. Normally this is blocked. I've used an lxc/lxd image from here https://uk.lxd.images.canonical.com/images
Thank you.

Got the same Issue, the LXC Container itself can reach the internet. The Clients on the LAN can reach the Gateway and can Lookup DNS but ping is not working. It seems the OpenWRT is not routing.

Its setup on a VPS Server so i only can use LXC and i only got on IP Adress.

Here is my Proxmox Interfaces

auto lo
iface lo inet loopback

iface ens3 inet manual

auto vmbr0
iface vmbr0 inet static
        address XXX.XXX.XXX.171/22
        gateway XXX.XXX.XXX.1
        bridge-ports ens3
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport ! --dport 8006 -j DNAT --to 10.0.0.2
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -j DNAT --to 10.0.0.2

auto vmbr1
iface vmbr1 inet static
        address 10.0.0.1/30
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/30' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/30' -o vmbr0 -j MASQUERADE
#WAN

auto vmbr2
iface vmbr2 inet static
        address 192.168.5.2/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#LAN

root@ct-openwrt:/# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.5.1'
        option device 'br-lan'
        list dns '192.168.5.1'

config interface 'wan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.0.0.2'
        option gateway '10.0.0.1'
        option device 'eth0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option netmask '255.255.255.252'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

root@ct-openwrt:/# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@ct-openwrt:/# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SSH Test'
        option src 'wan'
        option src_dport '6000'
        option dest_ip '192.168.5.182'
        option dest_port '22'

Port Forwardings isnt working too. Anybody got an Idea

Maybe I need to set a static route. Sorry im not good in Networking

Thanks Flow

Got it Working,

downloaded the image via GUI

https://uk.lxd.images.canonical.com/images/openwrt/snapshot/

created the conatainer

pct create 100 /var/lib/vz/template/cache/openwrt.tar.xz --arch amd64 --hostname ct-openwrt --rootfs local-lvm:202 --memory 512 --cores 1 --ostype unmanaged --unprivileged 1

added 2 Networkcards via GUI
added nesting and keyctl

The Snapshot Version did the Trick

BTW in Snapshot is Luci missing

Have Fun